Saturday, July 20, 2024

Another MOVEit vulnerability found, as state and federal agencies reveal breaches

Progress Software discovered a new MOVEit Transfer vulnerability, the company said in an advisory Thursday, marking the third since Progress disclosed a zero day associated with its managed file transfer services on May 31. The first vulnerability, CVE-2023-34362, was followed by a second, CVE-2023-35036, last week. 

Progress is encouraging all MOVEit Transfer customers to take immediate steps to address the new privilege escalation vulnerability, CVE-2023-35708, including measures to immediately disable all HTTP and HTTPS traffic to MOVEit Transfer environments until organizations can apply the patch.

“As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor,” a MOVEit spokesperson told Cybersecurity Dive in an emailed statement. “At this time, we have not seen indications that this new vulnerability has been exploited. We have developed a patch to address this issue and are communicating with customers on the steps they need to take to further harden their environments.”

The advisory came just after officials from the Cybersecurity and Infrastructure Security Agency disclosed a “small number” of federal agencies were impacted by the campaign, which CISA attributes to the Clop ransomware gang.

Yet there is an opportunity for more compromise. Once vulnerabilities are disclosed, exploitation can become a bit of a race, experts say. When zero-day exploits become public, threat actors from around the world quickly move to target them, according to Rick Holland, CISO, office of the CISO, at ReliaQuest, in an emailed statement to Cybersecurity Dive.

“If I were running MOVEit software, this new vulnerability would further justify taking the MOVEit services offline,” he said. “Given the velocity of these vulnerabilities, the attention and risks are too high to take a chance on additional vulnerabilities coming out. I would seek an alternative solution while Progress continues its investigation and code reviews.”

CISA considers the campaign largely opportunistic and not widespread, though several hundred victims have come forward and Clop has begun to release victim names on its leak site.

“Although we are very concerned about this campaign and working on it urgently, this is not a campaign like SolarWinds that presents a systemic risk to our national security,” CISA Director Jen Easterly said on a press call Thursday. CISA did not respond to requests for comment about the newly disclosed vulnerability by publication time.

While it is unclear which MOVEit vulnerabilities Clop leveraged to compromise federal agency service, “the longer known vulnerabilities remain unmitigated, the higher the chances multiple threat actors exploit them,” Holland said. 

Sharon Martin, a product architect at Huntress, says it’s likely that most impacted federal agencies were compromised in the original vulnerability. “We’ve seen a delay from compromise until public ransom demand announcements, possibly as the threat actor is attempting private contact about ransom before going public,” Martin said. 

More organizations compromised

Clop claims it has exploited hundreds of organizations and many have started to come forward to disclose a breach. Emsisoft Threat Analyst Brett Callow said there are 63 known and confirmed victims as of Friday, plus an unspecified number of U.S. government agencies. 

The Louisiana Office of Motor Vehicles said “all Louisianans with a state-issued driver’s license, ID, or car registration” have likely had some data exposed, including their names, addresses, social security numbers and vehicle registration numbers, the governor’s office said Thursday in a statement. 

The Oregon Department of Transportation also had data accessed as part of the campaign, including the information of approximately 3.5 million Oregon ID and driver’s license holders.

“Our analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before we received the security alert,” the department said in a statement Thursday. “We do not have the ability to identify if any specific individual’s data has been breached.”

Reports surfaced of impact to federal agencies Thursday, including the Energy Department. DOE did not respond to requests for comment by publication time.
